Merge pull request #193 from esben-semmle/js/reduce-precision-of-remote-property-injection

asger-semmle · web-flow · commit a3562aa4a713 · 2018-09-14T11:14:13.000+01:00
JS: lower @precision of js/remote-property-injection
diff --git a/change-notes/1.19/analysis-javascript.md b/change-notes/1.19/analysis-javascript.md
@@ -16,6 +16,6 @@
 |--------------------------------|----------------------------|----------------------------------------------|
 | Regular expression injection | Fewer false-positive results | This rule now identifies calls to `String.prototype.search` with more precision. |
 | Unbound event handler receiver | Fewer false-positive results | This rule now recognizes additional ways class methods can be bound. |
-
+| Remote property injection | Fewer results | The precision of this rule has been revised to "medium". Results are no longer shown on LGTM by default. |
 
 ## Changes to QL libraries
diff --git a/javascript/ql/src/Security/CWE-400/RemotePropertyInjection.ql b/javascript/ql/src/Security/CWE-400/RemotePropertyInjection.ql
@@ -5,7 +5,7 @@
  *   
  * @kind problem
  * @problem.severity warning
- * @precision high
+ * @precision medium
  * @id js/remote-property-injection
  * @tags security
  *       external/cwe/cwe-250

Original file line number	Diff line number	Diff line change
`@@ -5,7 +5,7 @@`
`5`	`5`	`*`
`6`	`6`	`* @kind problem`
`7`	`7`	`* @problem.severity warning`
`8`		`- * @precision high`
	`8`	`+ * @precision medium`
`9`	`9`	`* @id js/remote-property-injection`
`10`	`10`	`* @tags security`
`11`	`11`	`* external/cwe/cwe-250`